Between April 17 and April 19, 2011, Sony became aware that the PlayStation Network (PSN) and Qriocity user account information was compromised in conjunction with a breach into Sony's network. These services allow users to play games with others on the Internet, make in-game purchases and stream music and movies to Sony devices.
On Wednesday, April 20, PlayStation Network and Qriocity services were disabled to investigate the incident. Most alarming is the database of customer information exposed to the unknown attacker. This database may include the following data: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, handle/PSN online ID, as well as profile data including purchase history and billing address (city, state, zip), and PlayStation Network/Qriocity password security answers.
Soon after the breach occurred, Sony publicly stated on their blog that all customer information was encrypted. They later corrected this statement to indicate that the information was hashed, not encrypted. Data that is properly encrypted is difficult or impossible for a potential attacker to decrypt. Hash values are not designed to protect the confidentiality of data from an attacker, and it may be much easier for an attacker to recover the cleartext values from the hashes. Sony has not released critical details, including the hash algorithm and whether a salt was used to increase protection. In the worst case scenario, weak protection of private user data may allow an attacker to deduce the cleartext value of hashed values.
On April 30, 2011, Sony announced that they hoped to begin restoring services within the week. Sony also reports that they have been working with several external security firms to investigate the breach and implement enhanced security controls to protect their online services. Reports indicate that Guidance Software and Data Forte have both been engaged to investigate the incident.
It was reported that the data records of 70 million users were exposed. On Tuesday, May 3, 2011, Sony announced that an additional 24.6 million customers were affected by the breach.
Networked assets operated by unrelated third party institutions may be exposed to collateral damage due to the theft of a large number of authentication credentials in the Sony incident. It is, unfortunately, not uncommon for people to use the same login and password combination to control access to multiple online accounts. For example, an employee at a company may use the same password for access to Sony's resources and access to employer resources. It is highly possible that login credentials obtained via the Sony breach could provide an adversary with unauthorized access to third party systems.
The CTU analysts strongly advise organizations to implement policies and best practices aimed at encouraging use of unique passwords, such as:
- Frequent periodic requirement to change passwords
- Enforcement of minimum new password strength requirements
- Restricting re-use of prior passwords via password history
- Use of two-factor authentication systems
- Use of secure password managers
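The following is an added example, not code from the original article or from Sony, that ties together two points above: why a per-user salt and a slow hash matter (the hashed-not-encrypted discussion) and how the password-history and minimum-strength items in the list can be enforced when a user changes a password. It uses only the Python standard library; the iteration count, history depth and minimum length are assumed values chosen for illustration, and the two user records are constructed.

```python
"""Added example (not from the original article): salted password hashing
and a password-history check, showing why unsalted hashes leak more than
salted ones and how to enforce the reuse restriction listed above."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example
HISTORY_DEPTH = 5            # assumed: reject any of the last 5 passwords
MIN_LENGTH = 12              # assumed minimum new-password length


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password. Identical passwords give identical
    digests, so one precomputed table covers every account that uses them,
    and equal digests across users reveal password reuse on their own."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user random salt and a slow iteration
    count, so identical passwords hash differently and guessing is costly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def new_record(password: str) -> dict:
    """Create a stored credential record: fresh salt, salted hash, empty history."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt), "history": []}


def verify(record: dict, password: str) -> bool:
    """Constant-time comparison of the candidate hash against the stored one."""
    candidate = salted_hash(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def meets_policy(record: dict, new_password: str) -> tuple:
    """Apply the minimum-strength and password-history rules from the list."""
    if len(new_password) < MIN_LENGTH:
        return False, "too short"
    if verify(record, new_password):
        return False, "same as current password"
    # Each history entry keeps its own salt so old passwords can be re-checked.
    for old_salt, old_hash in record["history"]:
        if hmac.compare_digest(salted_hash(new_password, old_salt), old_hash):
            return False, "reused a prior password"
    return True, "ok"


def change_password(record: dict, new_password: str) -> bool:
    """Rotate the password if policy allows; keep the last HISTORY_DEPTH hashes."""
    ok, _reason = meets_policy(record, new_password)
    if not ok:
        return False
    record["history"].append((record["salt"], record["hash"]))
    record["history"] = record["history"][-HISTORY_DEPTH:]
    record["salt"] = os.urandom(16)
    record["hash"] = salted_hash(new_password, record["salt"])
    return True


def demo() -> dict:
    """Two constructed users who chose the same password: their unsalted
    digests collide, their salted hashes do not, and the policy checks work."""
    shared = "correct horse battery"  # constructed sample password
    alice = new_record(shared)
    bob = new_record(shared)
    return {
        "unsalted_match": unsalted_hash(shared) == unsalted_hash(shared),
        "salted_match": alice["hash"] == bob["hash"],
        "verify_ok": verify(alice, shared),
        "verify_bad": verify(alice, "not the password"),
        "rotate": change_password(alice, "a much longer new passphrase"),
        "reuse_rejected": change_password(alice, shared),
        "short_rejected": change_password(alice, "short"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The history check has to store the salt alongside each retired hash; without it, an old password could not be recognised again once the salt is rotated. A storage design that hashed without a salt would let the reuse check work with a plain lookup, but it would also give an attacker who obtained the database the cross-user collisions shown by `unsalted_match`.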
If you are a Sony PlayStation Network or Qriocity customer, you should have already received an email from Sony offering guidance on how to proceed. Sony will not contact any users requesting additional information. Users should maintain a heightened level of vigilance with respect to potential scams and attempts to commit fraud with the stolen data. If you had credit card information on file with Sony, then you should monitor your credit activity and call your bank or credit card company to obtain a new card number. When Sony's online services are fully restored and you are able to log in, you should change your password immediately.
It will be interesting to learn more details and understand how the PlayStation Network was breached as Sony discloses additional information. This breach underscores the dangers of using the same credentials across multiple services, such as email addresses, passwords, secret phrases, and payment information. We should all make sure we do not use the same passwords for our various online accounts. Using unique credentials limits the potential impact to the security of our accounts when breaches inevitably occur.